But in Apple’s latest Mac security update, when Mavericks 10.9.2 was released, the company published security fixes for Lion and Mountain Lion at the same time.

Poor Snow Leopard (OS X 10.6) is left out in the cold.

It’s time to get Mavericks

In order to get Mac users to upgrade to OS X 10.9 Mavericks, Apple is giving away the upgrade for free: a good move by Apple, but not everyone is up to date.

Since Apple released Mavericks in October 2013, a lot of people have upgraded, but the majority of Mac users are still running something older.

For business users, companies have been even slower to upgrade than home users.

Our own survey of Macs running Sophos Anti-Virus, conducted at the start of 2014, showed that only about 18% of enterprise Mac users are running Mavericks, with 19% still running the out-of-support Snow Leopard.

Mavericks came out of the gate with numerous security improvements, and we recommend that the first thing you should do to stay secure on your Mac is to upgrade.

Just click on Software Update... in the Apple menu to download Mavericks, or visit the Mac App Store.

Be warned: it’s a big update, totalling about 6GB for the Mavericks download and the update to the latest point release, OS X 10.9.2.

But you will be moving forward to the latest, fully-supported-and-patched OS X version.

Once you’ve upgraded to Mavericks, which you can consider our Tip Zero if you like, here are five steps you can take to give yourself an edge against cybercrime:

1. Stay current with security updates

It’s easy to keep your Mac up to date with security fixes.

You can use Software Update... from the Apple menu to check for updates manually, or go to Apple Menu|System Preferences|App Store to set up your Mac to check for updates automatically:

OS X malware is much less common than malware attacking Windows, with the result that many Mac users seem to have adopted a rather casual attitude to security patches.

But cybercriminals are definitely trying to exploit Mac users who fall behind.

Apple’s own employees had their Macs compromised by malware in February 2013 via a vulnerability in Java that criminals also exploited to compromise Mac users at Microsoft and Facebook around the same time.

In 2012, an attack on another vulnerability in Java infected 600,000 Macs with the Flashback malware (including some in Apple’s Cupertino headquarters).

The truth is, you probably don’t need Java to use the web, so having the Java plugin enabled just puts you at needless risk.

If you find that you do need Java after all, you can always turn it back on again.

3. Don’t forget security updates for non-Apple software such as Java and Flash

If you use Oracle Java and Adobe Flash, remember that they have their own security patches to apply.

→ Unfortunately, Oracle and Adobe use different update calendars. Oracle issues regular security patches on the Tuesday closest to the 17th of April, July, October and January. Adobe’s red-letter days are the second Tuesday in March, June, September and December.

In addition to scheduled updates, both Adobe and Oracle sometimes issue emergency fixes, often called out-of-band updates.

On Mavericks, Flash and Java have their own configuration items in the System Preferences window:

Both products can be set up to check for updates automatically:

4. Use Mac FileVault for full-disk encryption

With so many ways for your files to fall into the wrong hands, full-disk encryption (FDE) is an important defense.

If your whole disk is encrypted, no one without the encryption key can access any data on it at all.

Macs have the benefit of easy full-disk encryption with Mac FileVault.

You can turn on FileVault by going to System Preferences|Security & Privacy|FileVault:

When you turn on FileVault, you’ll get a back-up code, called the “recovery key,” in case you forget your password.

Write this code down and store it in a safe place.
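
The checks from Tip Zero, Tip 1 and Tip 4 can also be read from the Terminal. The script below is an added example, not part of the original article: the function names are hypothetical, and the commands it relies on (sw_vers, fdesetup status, and the AutomaticCheckEnabled key in the SoftwareUpdate preferences) are standard OS X tools that the article itself does not mention. The version states follow the article's description of which releases received fixes alongside 10.9.2.

```shell
#!/bin/sh
# Added example (not from the article): audit a Mac against Tip Zero
# (OS version), Tip 1 (automatic update checks) and Tip 4 (FileVault).
# Each classifier takes command output as text, so it can be exercised
# with constructed samples on any system.

# Succeed if dotted version $1 >= $2, comparing fields numerically so
# that 10.10 sorts after 10.9 (a plain string comparison gets this wrong).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Map a version string (as printed by `sw_vers -productVersion`) to the
# support state the article describes at the time of the 10.9.2 release.
classify_os_version() {
    case "$1" in
        ''|*[!0-9.]*) echo "unknown"; return ;;
    esac
    if version_at_least "$1" 10.9.2; then
        echo "current"
    elif version_at_least "$1" 10.9; then
        echo "needs-point-update"        # Mavericks, but older than 10.9.2
    elif version_at_least "$1" 10.7; then
        echo "security-fixes-only"       # Lion and Mountain Lion
    else
        echo "no-security-fixes"         # Snow Leopard and earlier
    fi
}

# Interpret the first line of `fdesetup status` (Tip 4).
classify_filevault() {
    case "$1" in
        "FileVault is On."*)  echo "on" ;;
        "FileVault is Off."*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Interpret the AutomaticCheckEnabled preference (Tip 1):
# 1 = check automatically, 0 = manual only, anything else = not set.
classify_autocheck() {
    case "$1" in
        1) echo "on" ;;
        0) echo "off" ;;
        *) echo "unknown" ;;
    esac
}

# Print one line per check. The return status is the number of checks
# that need attention (0 = all three tips are in place).
# Arguments: version string, fdesetup output, autocheck value.
audit_report() {
    findings=0
    os=$(classify_os_version "$1")
    fv=$(classify_filevault "$2")
    ac=$(classify_autocheck "$3")
    [ "$os" = "current" ] || findings=$((findings + 1))
    [ "$fv" = "on" ]      || findings=$((findings + 1))
    [ "$ac" = "on" ]      || findings=$((findings + 1))
    printf 'os_version=%s (%s)\n' "$1" "$os"
    printf 'filevault=%s\n' "$fv"
    printf 'auto_update_check=%s\n' "$ac"
    return "$findings"
}

rc=0
if command -v sw_vers >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    # Live run on a Mac.
    audit_report \
        "$(sw_vers -productVersion)" \
        "$(fdesetup status 2>/dev/null)" \
        "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate \
            AutomaticCheckEnabled 2>/dev/null)" || rc=$?
else
    # Not a Mac: run on a constructed sample (Snow Leopard, FileVault
    # off, preference not set) to show what a failing report looks like.
    audit_report "10.6.8" "FileVault is Off." "" || rc=$?
fi
echo "findings=$rc"
```

A findings count of 0 means the machine is on the current release, checks for updates automatically and has FileVault turned on.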

5. Use a Mac anti-virus

There are still OS X threat deniers out there who tell us that they consider malware in its traditional sense to be impossible on OS X, “because you have to click on and run a program by yourself and then type your admin password into the warning popup.”

Really? (And, if so, is that the fault of the SSD firmware or of Mavericks?)

Remember that there are IT teams out there that are still running Windows XP, and consider their reasons to be scientific 🙂

I don’t mean to cast nasturtiums on your IT team, but if what they claim has a scientific basis, why don’t they say “we recommend 10.9 unless you have upgraded your Mac’s hard disk to one of these SSD models. [List included.]”

If I had a third-party SSD that my IT guys thought might cause trouble if used with _any_ current mainstream OS version, I’d be inclined to replace it with an SSD that did not display that sort of instability. That’s because my inclination, albeit that it might be wrong or even ill-informed, would be to distrust the SSD firmware as much as the OS.

I had no problems after upgrading to Mavericks, but when I upgraded from Lion to Mountain Lion it deleted the drivers for my Brother printer and Agfa scanner without warning. Admittedly they were old (1999) but still working 100%. I had to seek and pay for third party drivers. Surely it would do Apple no harm to leave all drivers in place when they upgrade their OS. They only occupy a few Kbytes, and no-one’s going to mount a cyber-attack via 1999 printer software!

Upgrade from Lion, or from Snow Leopard? If you have Mac software from 1999, it’ll be compiled for the PowerPC processor, and not even for OS X, which wasn’t out then. Apple dropped the PPC and switched to Intel chips in 2006 for its Mac range. For a while, you could run old PPC software using an emulation/translation layer called Rosetta. This allowed old apps to run, but not as well as modern apps. Apple removed Rosetta from the default install of OS X in 10.6, and binned it for ever in 10.7.

Although Macs are traditionally believed to be less prone to cyber-criminal attacks, recent developments have shown that malware writers are concentrating more and more on finding vulnerabilities in MacOS and popular Mac applications.

Apple isn’t saying because that would mean going on record with their total absence of long term support, and they don’t want to do that. They keep you guessing just so people will assume there’s more support than they actually give.

Great Advice – as long-term Mac users (for Graphic Design/Print), we have used anti-virus for many years. HOWEVER, people updating to Mavericks should be aware that there are many (expensive!) programmes – in Graphics Arts especially, which are not compatible in their older versions. Check absolutely that your versions are compatible before upgrading, or be prepared to pay for the “Mexican Hut” in the Cloud or a major upgrade to the big “Q”!

Isn’t it an irony that the more expensive the software, and the bigger the vendor, and the more coders and testers they have…

…the slower they are to support the latest version of the operating systems they claim to support 🙂

(Apologies for the unscientific comment. Consider it satirical, not a law 🙂)

I switched to Mavericks the day it came out. I found two applications that said they didn’t support 10.9 – and neither vendor could be bothered to say when it might do so.

I used it as an excuse to test the market. I quickly found replacements that I rapidly realised were greatly superior. Perhaps that’s because the vendors were still actively developing them, not spending time explaining to their customers why they were stuck in the past?

You may be right in your case, but I think what @Graham G meant exactly was the fact that all design people using the Adobe Creative Suites, which are not dirt cheap and which did not really improve in the last years, do not run on Mavericks any more! You would have to change to the Adobe Cloud and pay monthly. The dream all the big players have dreamed for long – get our money monthly for the time to come – I would too.

Basically everything in this article shown as a security recommendation is the default configuration of Apple’s OS X. Well, except the introduction (plenty of FUD) and the final recommendation that the user needs to buy anti-virus tools.

I agree Antonio. The computer security researchers at Sophos do not know what they are talking about, I mean once they touch the surface of a Mac they will understand why Macs are invulnerable to all things bad.

Seriously though, my Mac did not come encrypted or prompt me to encrypt the hard drive and it doesn’t automatically set flash and java for auto update. Besides, what is wrong giving security tips so people who are not as security savvy can double check their configuration?

> “The free home version of Sophos Anti-Virus for Mac…”

Lastly, where did it say to buy anti-virus tools? You do realize what FREE means, right?

I agree, the bottom line is that they do not have a clue about security, and on top of that they make “recommendations”. A good rule in software is to not change when things work, so NEVER SET “AUTOMATIC UPDATE” – always wait until you have to change. But security in Unix BSD (MacOS) is so well proven so changing things is a huge security violation. Make recommendations that prove you understand what you write about, and remember: OSX is not Windows, OSX has security tags on everything, OSX is proven for decades of hackers.
All updates from Apple show that they are on a slippery slope – I am fed up with Maverick and will not consider Yosemite – rather Snow Leopard.

For those of us that were left in the dust a long time ago by Apple, all I really do is use Sophos and pray. I’m using Safari 4.1.3 as I’m using an old Apple eMac People PC, running Mac OS X 10.4.11, and really can’t update to anything newer in the Apple world. Java has been turned off for years and I always block pop-ups and browse in private.

You are a real piece of work, you are obviously jealous of Apple and its lack of need for people like you and Sophos. I tried Sophos three times on my Macs and it slowed the machine down to a Wintel speed. It didn’t find problems, it created them. There are other programs that do a better job and do not slow the machine down. This whole article is to promote you as being brilliant and Sophos as being essential for a healthy Mac. You did not make the sale, but revealed yourself as a Wintel guy that thinks common knowledge is a sign of brilliance.

For a product that isn’t “confirmed dead”, things are nevertheless looking dangerously lifeless on the 10.6 support front, wouldn’t you say?

If I were a gambling man (there’s a song about that!), I’d wager that 10.6 *is* out of support, not least because 10.7 and later all have a different architecture and only work with newer, albeit now fairly old, Macs. As a cut-off point, supporting back to 10.7 makes a lot more sense for Apple than supporting back to 10.6, and can still be considered reasonably generous.

Think of it as a generational shift.

I’d written off 10.7 and 10.8 as unsupported, too, until they inexplicably got security updates at the same time that 10.9.2 came out. The appearance of updates for those versions and not for 10.6 sounded like a bit of a requiem for 10.6 to me.

(Don’t forget – the SSL bug that wasn’t in 10.6 *wasn’t in 10.7 or 10.8 either*.)

I’d normally be inclined to say yes because of the time since the last update, but keep in mind they still sell Snow Leopard on their store and it received a security update as recently as October, so I’m not sure I’d classify it as confirmed dead, or even dangerously lifeless…and the very fact that they DO have a different architecture is what’s keeping SL alive. Many Macs still in service can’t update.

You’re also seemingly assuming that previous versions of the OS have the same bugs (and thereby require simultaneous updates). It’s true that 10.7/10.8 didn’t have the SSL “go-to fail” bug mentioned, but the 10.8 patch corresponding with 10.9.2 DID actually fix a different SSL bug, leaving certain traffic vulnerable to malicious decryption.

Again, I’m not debating the validity/worth of the tips above, all I’m saying is that signaling the end of SL seems a bit…premature to me.

“As recently as October” is what made me consider it dead, not alive 🙂 In fact, the last security update for 10.6 (I’m not counting the Java update that applied to 10.6, just Apple’s “here is a 10.6 security update”) that I can find is dated 12 September 2013.

So we’ve gone from equinox to equinox – with no security updates at all for 10.6. (In that time, 10.9 has had three, 10.8 has had one, and 10.7 has had one. You are invited to extrapolate to the next equinox based on these figures.)

Interestingly, Apple explicitly denotes the OS X 10.9 release as a security fix for “Mac OS X v10.6.8 and later” on the HT1222 page. So, strictly speaking, the most recent security update for 10.6 was in October 2013, and it was called Mavericks 🙂

An OS in the modern era that has had zero security fixes for six months while its more recent versions get several…I’d be inclined to call that unsupported. Or as good as.

That is a tad hyperbolic, no? First, a Java update in a case where it’s embedded in the OS (and not a totally separate install as with Windows) is a security update in my opinion. However, even if we ignore that, the next update is a month earlier, as you noted, as frequent as it is with Microsoft.

As far as Mavericks being a security update: you were reading a security update list (HT1222), and it was referencing several things that promote upgrading if you are able. Similar content can be found for both Vista and Windows 7. Nowhere did it say, “security update for Snow Leopard, install Mavericks now”.

Snow Leopard went through several major revisions (10.6 – 10.6.8) which fixed many things and they’ve slowed down as they’re not making feature additions to the OS anymore. Increased patching frequency for a newer OS isn’t necessarily an indication of anything beyond the fact that it’s new code, and new vulnerabilities have been identified.

Without knowing the specifics, I’d wager that XP patches have slowed (in number, not frequency) as they continue to identify and fix vulnerabilities without adding significant new features (thereby increasing the likelihood that things will need patching). They just happen to have a much larger target on their back thanks to install base, and more eyes on them. They’re also working with a code base that has a 10 year lifespan (more if you count legacy code it was built upon), and continued to have a plethora of changes. That’s more equivalent to OS 10.x than it is 10.6, 10.7, 10.8, etc.

I’m simply not convinced that a six month hiatus of security updates in 10.6 is a healthy sign. Apple does have a history of slow response to security problems (look how long it took to patch the infamous – and serious – sudo bug last year! look how old the SSL bug is that was fixed in the last 10.8 update!), but no patches at all for six months feels unlikely to me.

(Anyway, why doesn’t Apple just say, “Yes, 10.6 is fully supported, and there will be security updates if and when”?)

XP patches may have slowed but I don’t recall a month there hasn’t been at least one…

The harsh reality is that “updates” of late are really down-grades: they eat up your time and money with the need to purchase new software, learn new apps and even recognize new icons. My Acrobat professional would not work on 10.10 without my buying a new Acrobat pro version; the same with some other expensive apps.

I love the Mac and was quite happy with 10.6. I upgraded on my MacBook Air (MBA) to Lion, Mt. Lion, Mavericks, and Yosemite and saw little of value other than an improvement in auto correct within Mail. But the learning curve on all of these “upgrades” was ridiculous and not worth the tradeoff for the lame changes made by Apple.

I was forced to upgrade to Yosemite because 10.6 was not supported by encryption software required by a government institution I was working with. Once I upgraded to 10.10, I experienced major slowdowns in my OS due to apps that in the past had not affected my CPU, e.g. CrashPlan, Sophos. Now viewing my activity monitor and listening to my hard drive working all the time with these apps running (even after a force quit), I am totally disgusted with 10.10.

What to do? Go back to 10.6 or stay at 10.10 and remove Sophos and CrashPlan?

The fact that Adobe made you pay all over again is hardly Apple’s or OS X’s fault, is it 🙂

Lots of people seem to blame Apple for the fact that their third party vendors want them to keep using older versions of their software on much less secure versions of OS X. (Roll it how you like, it’s hard to argue that 10.10 is *less* secure than 10.6.)

Interested to hear that merely by upgrading to 10.10, Sophos has “slowed down.” Hard to troubleshoot that without a bit more information, such as other software present (possibly software that has never been tested on more recent versions of OS X). Might be worth contacting Support…

I agree that it sucks that Apple provides Mac users with no clear statement of its schedule and policy for support of earlier versions of OS X. It does seem that Snow Leopard users have been rudely abandoned without so much as a nod or a warning.

Unfortunately, “Tip Zero” (install Mavericks) is easier said than done. The fact that Apple doesn’t charge for Mavericks doesn’t make it “free”. It broke many apps and plugins that I rely on for my daily workflow. Developers are gradually releasing fixes, but there are still enough that don’t work in Mavericks to make it not just a nuisance to install it, but an outright impossibility if I want to remain productive. At this point, the lost productivity that would result from installing Mavericks is too high a price to pay for a “free” system.

On the upside, I’m glad to see that Apple is still supporting Mountain Lion…at least for security fixes. Abandoning that version of OS X at this point would be tantamount to twisting the knife.

I hear you, and there is some truth in the idea that Mavericks “broke” old apps.

But (as I alluded to above in replying to the comment by @Graham G) there’s also a sense that it’s the old apps that are “broken.”

Maybe some of the apps you have that don’t work could be replaced by ones that do? Those developers who haven’t updated their apps yet…how quickly would they be able to update in the event of a security hole?

I realize that you’re writing for a much larger audience than someone like me, who has invested a small fortune in pro audio, video, and music software. So I assume your comment about there being “some truth” in the breakage wrought by Mavericks means that it didn’t break anything (or didn’t break much, at least) for most of the Mac users whose hardware will run Mavericks.

That might well be true, but it’s irrelevant to me and to any other user who depends on production software that Mavericks broke. And I’m not talking about poorly supported apps by little known developers with a relatively small user base. I won’t mention them here, but it’s a virtual certainty that you’ve watched movies and listened to music produced with these apps, plugins, and libraries…and if you haven’t, millions of others have. For better or worse, they’re the tools I own. Where it’s even possible to replace them (and in some cases it’s not), the cost would be prohibitive.

Even so, I’ve already replaced many apps with more recent versions (some of which STILL don’t work in Mavericks)—not because I have more dollars than sense, but because I recently updated my system from Snow Leopard (SL) to Mountain Lion (ML). The hell of it is that everything was working perfectly in SL; my workflow zipped right along with no interruptions. But, like you, I’m counting Snow Leopard as essentially dead. I can read the signs. My perfect workflow won’t stay that way if my Mac Pro gets taken down by an attack on an unsupported system.

So I swallowed hard, installed ML on a cloned boot volume on a “test bed” drive, and set myself to the task of spending some time each day testing everything in ML on the test bed drive. As expected, I found many apps that I had to replace (…no Rosetta after Lion). All in all, it took several weeks to plan for and make the transition to ML without a loss of productivity…er, not counting the time it took to make it happen with minimum disruption, and not to mention the cost in replacing software that wouldn’t run in ML.

But there’s no point in grumbling about the forced obsolescence of stuff that’s working perfectly well. It’s a fact of life now. We don’t have to like it, but we do have to deal with it if we want to stay secure. I consider that a responsible approach.

Nevertheless, my paycheck also depends on my productivity, and I have responsibilities there too. My family has grown accustomed to living indoors. Downtime costs money and pays nothing. I don’t appreciate being stuck between a security rock and a productivity hard place. From my perspective, the (apparently) nonchalant attitude that you have observed in Apple’s support of their software doesn’t reflect a high regard for the combined factors of continued productivity, security, and the budgets of Mac users. It seems to me that Cupertino could learn some lessons from Redmond in that regard.

This really peeved me off! I have an older (2006-7) MacBook Pro 15 so I tried upgrading to Mavericks as soon as it came out. I couldn’t upgrade from 10.4 so had to Buy Snow Leopard (10.6), only to find that the hardware wasn’t supported by Mavericks! Even the ‘Evil Empire’ support upgrades to the nasty Windoze 8 on hardware older than 2007 (yes, I know there are minimum requirements) but Apple don’t make it easily known that you should check your hardware FIRST before trying to upgrade.

Your OS version is nine years old and your Mac about eight years old…I don’t think it’s _entirely_ unreasonable to assume you’d check that your computer’s up to the task of running the latest version of any OS. (If you downloaded a modern 64-bit Linux distro, would you blame the Linux Foundation for the wasted bandwidth when it refused to run on your 32-bit processor?)

IMHO, the last great Mac was the beige G3. That said, I own 3 quad core G5’s running 10.4.11, because that was the last OS to support the classic environment, which, btw, Apple promised would always be supported. The reason; I have thousands of dollars invested in classic applications that to this day still do everything I require of a computer. Note that a G5 processes faster than any of the Window XL systems I use at work. If I eventually lose I’net access because of this, so be it.

You should try one of the new quad core Macbook Pros with Retina display and SSD, even if you have to chuck out your old apps and find free open source alternatives 🙂 (You don’t say what your classic apps are.)

Here’s a list of a few of my classic applications: Adobe Acrobat, Adobe Illustrator, Pagemaker, Adobe Photoshop, Aldus Persuasion, SuperPaint, Amazing Slow Downer, Appleworks, BBEdit, CADintosh, CanOpener, Canvas, Corel Graphics, FileMaker, Fontographer, FoxBase, FreeHand, HyperCard, a limited version of MetroWorks Code Warrior, M.Y.O.B., NissusWriter, OmniPage Pro, Practica Musica, Quark Express, Dantz Retrospect, RightWriter, TurboPascal, TypeStyler, TypeTwister, Vellum and my least favorite; Microsoft Office. That’s before I get into all of the MIDI and recording software I have, the utility software that still functions and then there are my classic games. The bottom line is, I have no reason to spend more money to replace applications that do exactly what I need.

BTW, most of all, I miss AppleTalk which networked my Apple laser printer, dot matrix printer (I love carbon copies) and QMS ColorScript 210 printer and I can no longer use my SCSI CD changer because there are no drivers for it for OS 10. However, I still have my Mac IIFX, Quadra 950 and the beige G3, but I do not have the space to set them all up…

Maybe there are modern alternatives that can do as good (or nearly as good a job) for much less money? Pixelmator or GIMP for images, for example; Inkscape for vector graphics; Pages for Word; Keynote for Powerpoint? (Most people I know who have tried Keynote simply never go back to PPT. And Keynote, which was always fairly cheap, is now $0.)

Agreed. Nothing comes close to my beige G3 running 9.1. Personally clock-chipped it to 300 MHz. Blazing-fast on classic software and SCSI devices. None of that “working underwater” feeling that you still get even in the Mavericks environment.

I’m on Snow Leopard and the reason I haven’t upgraded to Lion, Mountain Lion or Mavericks is that they don’t support Rosetta. I run Microsoft Office X for Mac (2001) and would lose that by upgrading. I need the later, fully OSX-native Microsoft Office to dispense with Rosetta.

At the suggestion of an Apple Store Genius Bar techie, I was recently planning to upgrade from Snow Leopard until I discovered that Microsoft Office 2004 and earlier (including Office X) will not work as Rosetta (which is needed to transition PowerPC-based applications like Office X) is neither included nor supported in Lion or later. I’m glad at least I found out before upgrading!

Office X is already over-featured for what I need, but I can’t do without Word and PowerPoint.

And please don’t just tell me to shell out £100-odd for an up-to-date Office for Mac suite!

Well, if Word and PowerPoint are *that* important, presumably for business purposes, surely £100 isn’t that much to pay? If you’ve made your current version of Office last 13 years, then the per year cost is pretty low.

You could, of course, just use Pages and Keynote instead. They’re native Mac apps and they are free. Or just grab Libre Office and you’ll never need to pay for Microsoft Office again.

I often wonder how much people who go out of their way to save £100 on a software upgrade end up costing themselves in time, added security risk, and incompatibility? (How on earth do you open Office files from the vast majority who have recent versions of Office, which use file formats incompatible with yours?)

I have a 4GB MacBook Pro and upgraded to Mavericks — briefly. After a few weeks with it, I had to return to Mountain Lion because it was just too damned slow. Admittedly, it is a 5 year old laptop, but I do not feel it’s justified to throw any more money at it, even for a memory upgrade. With the exception of the advice to go to Mavericks, this document hits all the right notes. For those who do NOT think an OSX machine can get viruses, you apparently haven’t been watching your Mac-based antivirus program catch mainly Internet threats before they land on your hard disk. I’ve seen a steady increase in OSX threats over the last few years.

I too upgraded to Mavericks as recommended and found it slower than molasses, it did not support my digital camera software, it messed up my printer software, and it changed my gmail in ways I didn’t like. So I had to have Apple support help me delete Mavericks and reinstall OSX 10.6.8 (from my backup hard drive, which I’m so happy I had). I’m much happier now and just crossing my fingers that Apple will update 10.6.8. By the way, does Sophos update its antivirus software for Mac? I installed it but have seen no upgrades.

If you want to see if updates are working you can right click the shield and choose “Update Now.” This makes the update process visible in a popup window. Also, while an update is downloading, the “S” in the shield becomes a small arrow moving downwards.

Sophos always (or, at least very often) hangs when doing a fast users switch. This should be fixed. I used the latest Enterprise version of Sophos AV on Mavericks. Happens also with the free SAV version.

I’m afraid I can’t offer you advice or support for your Fast User Switching problems – if you’re an enterprise customer I presume you have tried support – but I do have a solution for you.

Don’t use fast user switching 🙂

(I don’t have a lot of science to go on here. But I’ve never been a fan of “fake logouts,” which is pretty much what Fast User Switching is. It lets you log in as user X and user Y, and perhaps Z and M as well, simultaneously, but shields all but one of the users from the keyboard and mouse. It can be very handy – standard example is flipping to an account that doesn’t have all your work files lying on the desktop when you want to do a presentation. But I am convinced it gives a false sense of security, since switching from user X to Y gives the impression that X has logged out, where in fact all X’s processes keep on going.)

That doesn’t fix your latent problems with Sophos Anti-Virus, or (to be fair to us) what might be an interaction between SAV and some other app that doesn’t like running in two sessions at a time, and I’m not offering it as an excuse or explanation. I’d recommend to anyone to be logged in, or logged out (or shut down), and nowhere in between. Just feels leaner, meaner and cleaner to me.

Much as I agree that Apple is not up to par with their attention to security, certainly over the past year, I have to take exception to your praise of Microsoft’s monthly update approach versus Apple’s ‘when they feel like it’ approach. Removing the ‘feel’ aspect of Apple’s approach, providing random security updates is EXACTLY the way to do it. Scheduling regular expected security like clockwork is exactly the WRONG way to do it. Why: (And note that this is a very old subject of contention). You want two things:

1) Get the security update out ASAP. No waiting around for any schedule. Throw the schedule away and never return to it. The goal is only ASAP fixes, nothing else.

Having an expected schedule means handing the malware and exploit rats a critical tool to help them perform their evil deeds. You’ve let them know when the updates are coming out. They sit poised at the ready, slurp in the CVEs that were patched, then rapidly rip out into the wild exploits and malware to take advantage of them. This is quite effective because there is consistently a large number of users who do NOT install security updates the moment they’re released, therefore they get a pwn-job. ‘Gee thanks!’ reply the malware rats.

2) Automatic random patches without fanfare or expectation. Apple is able to make malware inert ASAP via its XProtect system. Malware hits the streets, Apple blocks it in XProtect, silently, in the background, the user and the malware rats never know unless they’re constantly surveilling the XProtect background updates. Now, admittedly Apple did a face plant with XProtect this past year, missing several in-the-wild malware. They had to be shamed in public to catch up, a recurring theme in Apple’s history. But their approach with XProtect is brilliant. It’s so background and unnoticed that it wasn’t even mentioned in this article.

You seem to be suggesting that the crooks will more easily be able to reverse engineer a patch if they don’t know what day it’s coming out than if it comes out on the second Tuesday of the month – even though, once published, each type of patch is 100% public.

I find that astonishingly hard to believe. Reversing a patch becomes feasible immediately a patch is published, and not before.

(By the way, I trust you can see the irony in your claim that XProtect’s “brilliance” is that it is “background and unnoticed,” while also noting that Apple “had to be shamed in public to catch up.” If Apple’s “automatic random patches without fanfare or expectation” were timely and effective, you might have a point. But they aren’t, so you don’t.)

Two things about Microsoft’s Patch Tuesday: it is not only regular, *but frequent*. In other words, it’s self-imposed pressure on Microsoft to keep producing patches *even when it doesn’t feel like it*.

Anyway, having a regular schedule for privately-disclosed doesn’t mean you can’t also publish special-case urgent updates whenever you want, as Microsoft sometimes does.

In short, Apple seems IMO to lack regularity, frequency and urgency in its updates, and “when the vendor feels like it” isn’t really good enough these days.

Yes Paul. Like many others, I see zero point in handing patches to the malware and exploit rats on a plate on an appointed day. There’s no defense for that behavior other than the fact that many IT staff are lazy and like it that way, which of course is an idiotic excuse.

As for XProtect being “an anti-virus,”

I never called it that. Anti-malware is the accurate term. Tradition is no reason to keep using the ‘virus’ word when it doesn’t actually apply.

What Apple called XProtect, I don’t know. But the way it works is to do the very traditional anti-malware thing of using malware signatures to stop it from being run in the system. You know how it works.

As for irony: I am very explicit in what I write. Please read what I write and direct your comments to what I write. I kept the ‘ironic’ issues entirely separate. They should be addressed as separate issues.

As for the issue of ‘frequent’, that’s ridiculous. I know your work well enough to expect you know exactly what I meant by ASAP patching. There’s nothing ‘frequent’ about holding onto a patch for weeks until the second Tuesday of the month. It is in fact irresponsible IMHO. Isn’t it?

Are Apple patches frequent enough? That’s an important question and we know in some cases the answer is NO! I recall the Java security hole mess from 2012 and 2013 when we learned that BOTH Apple and Oracle had sat on Java patches for months on end. That’s of course not acceptable.

However, we both know that the patches Apple has to make are often less frequent because there are fewer to make. That’s also a factor. IOW, if Apple got foolish and did the scheduled security patch routine, there would be months with NO patches to make.

As I expect you comprehend, I’m specifically stating that ALL patches should be ‘special-case urgent’ patches, no exceptions. Get them out ASAP. That’s the responsible solution. Scheduled patching is irresponsible. I’m that simple and direct in my assertion. That’s not going to change.

We both agree that the ‘feel like it’ factor is irresponsible for the reasons I state above. ASAP patching. Tough luck if the lazy IT staff don’t like it. Tough luck if the malware rats don’t like it.

Sorry, you simply haven’t convinced me that it’s easier for a crook to reverse engineer a patch into an exploit if the patch comes out on a Tuesday. Once a patch is published, it can be reversed. That may or may not produce a working exploit. (It’s not always as easy as you might think to do that, but it’s reasonable to assume that it’s no easier on the second Tuesday of a month than at any other time. If you assert that it is, you need to produce some evidence, or at least a plausible explanation.)

What you may be trying to say – I’m not sure – is that a lack of advance warning makes it trickier for the crooks. I can’t see why it would, but if it’s the predictability you don’t like in Patch Tuesday, please remember that Apple makes its actual updates available in advance to developers, often for weeks on end. Each week you even get the latest updates to the forthcoming updates! (Microsoft, in contrast, announces the total number of Patch Tuesday fixes, and which products are affected, but the actual code and the description of what was fixed appear *on Patch Tuesday and not before*.)

So the crooks actually get hold of Apple’s patches before they ship to the general public, giving them even more time to get ready.

As for your statement that “we both know the patches Apple has to make are often less frequent because there are fewer to make,” there are two problems with that.

Firstly, you are putting words in my mouth. Please don’t do that.

Secondly, I say you’re wrong.

You claim that I know that “if Apple got foolish and did the scheduled security patch routine, there would be months with NO patches to make,” but the evidence is entirely against that.

Apple shipped 10.9.2 just a shade over two months after 10.9.1. In 10.9.2, there are close to *thirty* separately disclosed security holes patched in 10.9.1, of which about half are classified as remote code execution holes. (That’s where just browsing to a website could infect your Mac.)

Now convince me that there would have been nothing for Apple to ship at the end of January 2014, one month between 10.9.1 and 10.9.2 🙂

Most of these replies seem to be complaining and whining. I’m surprised that on the Sophos site, PC savvy people aren’t willing to put in the work on their own machines. You do realize that they are doing updates to help you? And while it seems unfair (bring out update after update, uninstall and pay for updated 3rd party software) the truth is that this is how it is.

You do a disservice to yourself to think that because a PC worked fine for 4 years without issue that there is nothing wrong with it or that it’s the best iteration. I used to think like that; until my 1st virus appeared on my home computer in 1992.

I am a current user of Sophos Antivirus for Mac, and on my current laptop it works great. I also have an SSD on this laptop. When I had a real hard drive in my previous laptop, I had to disable the on-access scanning, because it *did* slow down the computer noticeably. The most obvious place was in the Finder when loading directory listings… with the on-access scanning disabled, everything would show up in the window almost instantly when you opened it. With it enabled, I’d have to wait 2 or 3 seconds for the file listing to appear and another 10 or 15 seconds for it to load the icons to go with the filenames. That was an early 2011 model MacBook Pro, so it wasn’t exactly old.

In my Late 2012 MacBook Pro with the SSD in it I don’t notice the difference with the on-access scanning enabled.

As noted, that experience is from 2 years ago, so maybe that problem has been worked out since then. I haven’t used it on a machine with a real hard drive in that time.

So I downloaded Sophos, and it resulted in me not being able to access the internet because it interfered with my connection ability — I had to go to the Apple Store, and they sorted it for me. Then I looked down this article and noticed it recommended using FileVault — another red flag for me, because using that caused me no end of trouble some years ago. So I’m not impressed with this software/site…

DON’T upgrade to Mavericks unless you have a new MacBook Pro with 16GB of memory! Mavericks does not work properly. It is slow (spinning beachball of death) launching applications, cannot deal with multiple applications requesting network access and crashes frequently if you install the unnecessary Sophos anti virus. Ignore the climate of security fear Sophos is trying to encourage with this article.
There is a choice to be made here between a functional system and a “secure” one. An unnetworked computer isolated in a Faraday cage is secure but not much use for everyday needs. By upgrading to Mavericks and installing Sophos anti virus you effectively create a secure computer inaccessible in a cage.

If you use FDE, or “full disk encryption” (like FileVault), then your files are automatically unscrambled as they are read in and rescrambled when written back to disk. So your backup program sees the files as if they were unencrypted.

This is both a strength (applications don’t need to take care of the decryption themselves; indeed it is invisible to them), and a weakness (if you copy a file onto an unencrypted device, the copy doesn’t get rescrambled).

Time Machine lets you create encrypted backups, again in this automatic way, so it can still work incrementally.